diff options
author | Ovidiu Panait <ovidiu.panait@windriver.com> | 2019-07-29 07:20:58 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-29 23:50:43 +0100 |
commit | e6058824bbd6c9786368d79fa5a69c230219d112 (patch) | |
tree | 9a5062fe31b796da05b7e10d133acfdd8b349f15 /meta | |
parent | 885459d264e8fa1472142ff0ce02cbce91e630a0 (diff) | |
download | poky-e6058824bbd6c9786368d79fa5a69c230219d112.tar.gz |
ghostscript: Fix 3 CVEs
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.
It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constrains imposed by -dSAFER.
It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constrains imposed by -dSAFER.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e
(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)
(From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fix for CVE-2019-6116 is already in thud, so that has been removed]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
7 files changed, 702 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch new file mode 100644 index 0000000000..30ce04a7b1 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0001.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | From ad3ad6b389653722507e588c5cb34d8731e49e89 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Mon, 26 Nov 2018 18:01:25 +0000 | ||
4 | Subject: [PATCH] Have gs_cet.ps run from gs_init.ps | ||
5 | |||
6 | Previously gs_cet.ps was run on the command line, to set up the interpreter | ||
7 | state so our output more closely matches the example output for the QL CET | ||
8 | tests. | ||
9 | |||
10 | Allow a -dCETMODE command line switch, which will cause gs_init.ps to run the | ||
11 | file directly. | ||
12 | |||
13 | This works better for gpdl as it means the changes are made in the intial | ||
14 | interpreter state, rather than after initialisation is complete. | ||
15 | |||
16 | This also means adding a definition of the default procedure for black | ||
17 | generation and under color removal (rather it being defined in-line in | ||
18 | .setdefaultbgucr | ||
19 | |||
20 | Also, add a check so gs_cet.ps only runs once - if we try to run it a second | ||
21 | time, we'll just skip over the file, flushing through to the end. | ||
22 | |||
23 | CVE: CVE-2019-3835 | ||
24 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
25 | |||
26 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
27 | --- | ||
28 | Resource/Init/gs_cet.ps | 11 ++++++++++- | ||
29 | Resource/Init/gs_init.ps | 13 ++++++++++++- | ||
30 | 2 files changed, 22 insertions(+), 2 deletions(-) | ||
31 | |||
32 | diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps | ||
33 | index d3e1686..75534bb 100644 | ||
34 | --- a/Resource/Init/gs_cet.ps | ||
35 | +++ b/Resource/Init/gs_cet.ps | ||
36 | @@ -1,6 +1,11 @@ | ||
37 | %!PS | ||
38 | % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET | ||
39 | |||
40 | +systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq | ||
41 | +{ | ||
42 | + (%END GS_CET) .skipeof | ||
43 | +} if | ||
44 | + | ||
45 | % do this in the server level so it is persistent across jobs | ||
46 | //true 0 startjob not { | ||
47 | (*** Warning: CET startup is not in server default) = flush | ||
48 | @@ -25,7 +30,9 @@ currentglobal //true setglobal | ||
49 | |||
50 | /UNROLLFORMS true def | ||
51 | |||
52 | -{ } bind dup | ||
53 | +(%.defaultbgrucrproc) cvn { } bind def | ||
54 | + | ||
55 | +(%.defaultbgrucrproc) cvn load dup | ||
56 | setblackgeneration | ||
57 | setundercolorremoval | ||
58 | 0 array cvx readonly dup dup dup setcolortransfer | ||
59 | @@ -109,3 +116,5 @@ userdict /.smoothness currentsmoothness put | ||
60 | % end of slightly nasty hack to give consistent cluster results | ||
61 | |||
62 | //false 0 startjob pop % re-enter encapsulated mode | ||
63 | + | ||
64 | +%END GS_CET | ||
65 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
66 | index 45bebf4..e6b9cd2 100644 | ||
67 | --- a/Resource/Init/gs_init.ps | ||
68 | +++ b/Resource/Init/gs_init.ps | ||
69 | @@ -1538,10 +1538,18 @@ setpacking | ||
70 | % any-part-of-pixel rule. | ||
71 | 0.5 .setfilladjust | ||
72 | } bind def | ||
73 | + | ||
74 | % Set the default screen and BG/UCR. | ||
75 | +% We define the proc here, rather than inline in .setdefaultbgucr | ||
76 | +% for the benefit of gs_cet.ps so jobs that do anything that causes | ||
77 | +% .setdefaultbgucr to be called will still get the redefined proc | ||
78 | +% in gs_cet.ps | ||
79 | +(%.defaultbgrucrproc) cvn { pop 0 } def | ||
80 | + | ||
81 | /.setdefaultbgucr { | ||
82 | systemdict /setblackgeneration known { | ||
83 | - { pop 0 } dup setblackgeneration setundercolorremoval | ||
84 | + (%.defaultbgrucrproc) cvn load dup | ||
85 | + setblackgeneration setundercolorremoval | ||
86 | } if | ||
87 | } bind def | ||
88 | /.useloresscreen { % - .useloresscreen <bool> | ||
89 | @@ -2491,4 +2499,7 @@ WRITESYSTEMDICT { | ||
90 | % be 'true' in some cases. | ||
91 | userdict /AGM_preserve_spots //false put | ||
92 | |||
93 | +systemdict /CETMODE .knownget | ||
94 | +{ { (gs_cet.ps) runlibfile } if } if | ||
95 | + | ||
96 | % The interpreter will run the initial procedure (start). | ||
97 | -- | ||
98 | 2.18.1 | ||
99 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch new file mode 100644 index 0000000000..590b92e186 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0002.patch | |||
@@ -0,0 +1,71 @@ | |||
1 | From ba6dbd6e61dbb3cc6ee6db9dd3a4f70cc18f706e Mon Sep 17 00:00:00 2001 | ||
2 | From: Nancy Durgin <nancy.durgin@artifex.com> | ||
3 | Date: Thu, 14 Feb 2019 10:09:00 -0800 | ||
4 | Subject: [PATCH] Undef /odef in gs_init.ps | ||
5 | |||
6 | Made a new temporary utility function in gs_cet.ps (.odef) to use instead | ||
7 | of /odef. This makes it fine to undef odef with all the other operators in | ||
8 | gs_init.ps | ||
9 | |||
10 | This punts the bigger question of what to do with .makeoperator, but it | ||
11 | doesn't make the situation any worse than it already was. | ||
12 | |||
13 | CVE: CVE-2019-3835 | ||
14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
15 | |||
16 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
17 | --- | ||
18 | Resource/Init/gs_cet.ps | 10 ++++++++-- | ||
19 | Resource/Init/gs_init.ps | 1 + | ||
20 | 2 files changed, 9 insertions(+), 2 deletions(-) | ||
21 | |||
22 | diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps | ||
23 | index 75534bb..dbc5c4e 100644 | ||
24 | --- a/Resource/Init/gs_cet.ps | ||
25 | +++ b/Resource/Init/gs_cet.ps | ||
26 | @@ -1,6 +1,10 @@ | ||
27 | %!PS | ||
28 | % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET | ||
29 | |||
30 | +/.odef { % <name> <proc> odef - | ||
31 | + 1 index exch .makeoperator def | ||
32 | +} bind def | ||
33 | + | ||
34 | systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq | ||
35 | { | ||
36 | (%END GS_CET) .skipeof | ||
37 | @@ -93,8 +97,8 @@ userdict /.smoothness currentsmoothness put | ||
38 | } { | ||
39 | /setsmoothness .systemvar /typecheck signalerror | ||
40 | } ifelse | ||
41 | -} bind odef | ||
42 | -/currentsmoothness { userdict /.smoothness get } bind odef % for 09-55.PS, 09-57.PS . | ||
43 | +} bind //.odef exec | ||
44 | +/currentsmoothness { userdict /.smoothness get } bind //.odef exec % for 09-55.PS, 09-57.PS . | ||
45 | |||
46 | % slightly nasty hack to give consistent cluster results | ||
47 | /ofnfa systemdict /filenameforall get def | ||
48 | @@ -113,6 +117,8 @@ userdict /.smoothness currentsmoothness put | ||
49 | } ifelse | ||
50 | ofnfa | ||
51 | } bind def | ||
52 | + | ||
53 | +currentdict /.odef undef | ||
54 | % end of slightly nasty hack to give consistent cluster results | ||
55 | |||
56 | //false 0 startjob pop % re-enter encapsulated mode | ||
57 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
58 | index e6b9cd2..80d9585 100644 | ||
59 | --- a/Resource/Init/gs_init.ps | ||
60 | +++ b/Resource/Init/gs_init.ps | ||
61 | @@ -2257,6 +2257,7 @@ SAFER { .setsafeglobal } if | ||
62 | /.systemvmSFD /.settrapparams /.currentsystemparams /.currentuserparams /.getsystemparam /.getuserparam /.setsystemparams /.setuserparams | ||
63 | /.checkpassword /.locale_to_utf8 /.currentglobal /.gcheck /.imagepath /.currentoutputdevice | ||
64 | /.type /.writecvs /.setSMask /.currentSMask /.needinput /.countexecstack /.execstack /.applypolicies | ||
65 | + /odef | ||
66 | |||
67 | % Used by a free user in the Library of Congress. Apparently this is used to | ||
68 | % draw a partial page, which is then filled in by the results of a barcode | ||
69 | -- | ||
70 | 2.18.1 | ||
71 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch new file mode 100644 index 0000000000..a339fa2f33 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0003.patch | |||
@@ -0,0 +1,295 @@ | |||
1 | From 4203e04ef9e6ca22ed68a1ab10a878aa9ceaeedc Mon Sep 17 00:00:00 2001 | ||
2 | From: Ray Johnston <ray.johnston@artifex.com> | ||
3 | Date: Thu, 14 Feb 2019 10:20:03 -0800 | ||
4 | Subject: [PATCH] Fix bug 700585: Restrict superexec and remove it from | ||
5 | internals and gs_cet.ps | ||
6 | |||
7 | Also while changing things, restructure the CETMODE so that it will | ||
8 | work with -dSAFER. The gs_cet.ps is now run when we are still at save | ||
9 | level 0 with systemdict writeable. Allows us to undefine .makeoperator | ||
10 | and .setCPSImode internal operators after CETMODE is handled. | ||
11 | |||
12 | Change previous uses of superexec to using .forceput (with the usual | ||
13 | .bind executeonly to hide it). | ||
14 | |||
15 | CVE: CVE-2019-3835 | ||
16 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
17 | |||
18 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
19 | --- | ||
20 | Resource/Init/gs_cet.ps | 38 ++++++++++++++------------------------ | ||
21 | Resource/Init/gs_dps1.ps | 2 +- | ||
22 | Resource/Init/gs_fonts.ps | 8 ++++---- | ||
23 | Resource/Init/gs_init.ps | 38 +++++++++++++++++++++++++++----------- | ||
24 | Resource/Init/gs_ttf.ps | 8 ++++---- | ||
25 | Resource/Init/gs_type1.ps | 6 +++--- | ||
26 | 6 files changed, 53 insertions(+), 47 deletions(-) | ||
27 | |||
28 | diff --git a/Resource/Init/gs_cet.ps b/Resource/Init/gs_cet.ps | ||
29 | index dbc5c4e..3cc6883 100644 | ||
30 | --- a/Resource/Init/gs_cet.ps | ||
31 | +++ b/Resource/Init/gs_cet.ps | ||
32 | @@ -1,37 +1,29 @@ | ||
33 | %!PS | ||
34 | % Set defaults for Ghostscript to match Adobe CPSI behaviour for CET | ||
35 | |||
36 | -/.odef { % <name> <proc> odef - | ||
37 | - 1 index exch .makeoperator def | ||
38 | -} bind def | ||
39 | - | ||
40 | +% skip if we've already run this -- based on fake "product" | ||
41 | systemdict /product get (PhotoPRINT SE 5.0v2) readonly eq | ||
42 | { | ||
43 | (%END GS_CET) .skipeof | ||
44 | } if | ||
45 | |||
46 | -% do this in the server level so it is persistent across jobs | ||
47 | -//true 0 startjob not { | ||
48 | - (*** Warning: CET startup is not in server default) = flush | ||
49 | -} if | ||
50 | +% Note: this must be run at save level 0 and when systemdict is writeable | ||
51 | +currentglobal //true setglobal | ||
52 | +systemdict dup dup dup | ||
53 | +/version (3017.102) readonly .forceput % match CPSI 3017.102 | ||
54 | +/product (PhotoPRINT SE 5.0v2) readonly .forceput % match CPSI 3017.102 | ||
55 | +/revision 0 put % match CPSI 3017.103 Tek shows revision 5 | ||
56 | +/serialnumber dup {233640} readonly .makeoperator .forceput % match CPSI 3017.102 Tek shows serialnumber 1401788461 | ||
57 | + | ||
58 | +systemdict /.odef { % <name> <proc> odef - | ||
59 | + 1 index exch //.makeoperator def | ||
60 | +} .bind .forceput % this will be undefined at the end | ||
61 | |||
62 | 300 .sethiresscreen % needed for language switch build since it | ||
63 | % processes gs_init.ps BEFORE setting the resolution | ||
64 | |||
65 | 0 array 0 setdash % CET 09-08 wants local setdash | ||
66 | |||
67 | -currentglobal //true setglobal | ||
68 | - | ||
69 | -{ | ||
70 | - systemdict dup dup dup | ||
71 | - /version (3017.102) readonly put % match CPSI 3017.102 | ||
72 | - /product (PhotoPRINT SE 5.0v2) readonly put % match CPSI 3017.102 | ||
73 | - /revision 0 put % match CPSI 3017.103 Tek shows revision 5 | ||
74 | - /serialnumber dup {233640} readonly .makeoperator put % match CPSI 3017.102 Tek shows serialnumber 1401788461 | ||
75 | - systemdict /deviceinfo undef % for CET 20-23-1 | ||
76 | -% /UNROLLFORMS true put % CET files do unreasonable things inside forms | ||
77 | -} 1183615869 internaldict /superexec get exec | ||
78 | - | ||
79 | /UNROLLFORMS true def | ||
80 | |||
81 | (%.defaultbgrucrproc) cvn { } bind def | ||
82 | @@ -118,9 +110,7 @@ userdict /.smoothness currentsmoothness put | ||
83 | ofnfa | ||
84 | } bind def | ||
85 | |||
86 | -currentdict /.odef undef | ||
87 | -% end of slightly nasty hack to give consistent cluster results | ||
88 | - | ||
89 | -//false 0 startjob pop % re-enter encapsulated mode | ||
90 | +systemdict /.odef .undef | ||
91 | |||
92 | +% end of slightly nasty hack to give consistent cluster results | ||
93 | %END GS_CET | ||
94 | diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps | ||
95 | index 3d2cf7a..c4fd839 100644 | ||
96 | --- a/Resource/Init/gs_dps1.ps | ||
97 | +++ b/Resource/Init/gs_dps1.ps | ||
98 | @@ -89,7 +89,7 @@ level2dict begin | ||
99 | % definition, copy it into the local directory. | ||
100 | //systemdict /SharedFontDirectory .knownget | ||
101 | { 1 index .knownget | ||
102 | - { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly | ||
103 | + { //.FontDirectory 2 index 3 -1 roll .forceput } % readonly | ||
104 | if | ||
105 | } | ||
106 | if | ||
107 | diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps | ||
108 | index 0562235..f2b4e19 100644 | ||
109 | --- a/Resource/Init/gs_fonts.ps | ||
110 | +++ b/Resource/Init/gs_fonts.ps | ||
111 | @@ -519,11 +519,11 @@ buildfontdict 3 /.buildfont3 cvx put | ||
112 | % the font in LocalFontDirectory. | ||
113 | .currentglobal | ||
114 | { //systemdict /LocalFontDirectory .knownget | ||
115 | - { 2 index 2 index { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly | ||
116 | + { 2 index 2 index .forceput } % readonly | ||
117 | if | ||
118 | } | ||
119 | if | ||
120 | - dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly | ||
121 | + dup //.FontDirectory 4 -2 roll .forceput % readonly | ||
122 | % If the font originated as a resource, register it. | ||
123 | currentfile .currentresourcefile eq { dup .registerfont } if | ||
124 | readonly | ||
125 | @@ -1191,13 +1191,13 @@ $error /SubstituteFont { } put | ||
126 | //.FontDirectory 1 index known not { | ||
127 | 2 dict dup /FontName 3 index put | ||
128 | dup /FontType 1 put | ||
129 | - //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly | ||
130 | + //.FontDirectory 3 1 roll //.forceput exec % readonly | ||
131 | } { | ||
132 | pop | ||
133 | } ifelse | ||
134 | } forall | ||
135 | } forall | ||
136 | - } | ||
137 | + } executeonly % hide .forceput | ||
138 | FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined | ||
139 | |||
140 | % Install initial fonts from Fontmap. | ||
141 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
142 | index 80d9585..0d5c4f7 100644 | ||
143 | --- a/Resource/Init/gs_init.ps | ||
144 | +++ b/Resource/Init/gs_init.ps | ||
145 | @@ -2188,9 +2188,6 @@ SAFER { .setsafeglobal } if | ||
146 | /.endtransparencygroup % transparency-example.ps | ||
147 | /.setdotlength % Bug687720.ps | ||
148 | /.sort /.setdebug /.mementolistnewblocks /getenv | ||
149 | - | ||
150 | - /.makeoperator /.setCPSImode % gs_cet.ps, this won't work on cluster with -dSAFER | ||
151 | - | ||
152 | /unread | ||
153 | ] | ||
154 | {systemdict exch .forceundef} forall | ||
155 | @@ -2270,7 +2267,6 @@ SAFER { .setsafeglobal } if | ||
156 | |||
157 | % Used by our own test suite files | ||
158 | %/.fileposition %image-qa.ps | ||
159 | - %/.makeoperator /.setCPSImode % gs_cet.ps | ||
160 | |||
161 | % Either our code uses these in ways which mean they can't be undefined, or they are used directly by | ||
162 | % test files/utilities, or engineers expressed a desire to keep them visible. | ||
163 | @@ -2457,6 +2453,16 @@ end | ||
164 | /vmreclaim where | ||
165 | { pop NOGC not { 2 .vmreclaim 0 vmreclaim } if | ||
166 | } if | ||
167 | + | ||
168 | +% Do this before systemdict is locked (see below for additional CETMODE setup using gs_cet.ps) | ||
169 | +systemdict /CETMODE .knownget { | ||
170 | + { | ||
171 | + (gs_cet.ps) runlibfile | ||
172 | + } if | ||
173 | +} if | ||
174 | +systemdict /.makeoperator .undef % must be after gs_cet.ps | ||
175 | +systemdict /.setCPSImode .undef % must be after gs_cet.ps | ||
176 | + | ||
177 | DELAYBIND not { | ||
178 | systemdict /.bindnow .undef % We only need this for DELAYBIND | ||
179 | systemdict /.forcecopynew .undef % remove temptation | ||
180 | @@ -2464,16 +2470,29 @@ DELAYBIND not { | ||
181 | systemdict /.forceundef .undef % ditto | ||
182 | } if | ||
183 | |||
184 | -% Move superexec to internaldict if superexec is defined. | ||
185 | -systemdict /superexec .knownget { | ||
186 | - 1183615869 internaldict /superexec 3 -1 roll put | ||
187 | - systemdict /superexec .undef | ||
188 | +% Move superexec to internaldict if superexec is defined. (Level 2 or later) | ||
189 | +systemdict /superexec known { | ||
190 | + % restrict superexec to single known use by PScript5.dll | ||
191 | + % We could do this only for SAFER mode, but internaldict and superexec are | ||
192 | + % not very well documented, and we don't want them to be used. | ||
193 | + 1183615869 internaldict /superexec { | ||
194 | + 2 index /Private eq % first check for typical use in PScript5.dll | ||
195 | + 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec | ||
196 | + 1 index 0 get systemdict /put get eq and | ||
197 | + { | ||
198 | + //superexec exec % the only usage we allow | ||
199 | + } { | ||
200 | + /superexec load /invalidaccess signalerror | ||
201 | + } ifelse | ||
202 | + } bind cvx executeonly put | ||
203 | + systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator | ||
204 | } if | ||
205 | |||
206 | % Can't remove this one until the last minute :-) | ||
207 | DELAYBIND not { | ||
208 | systemdict /.undef .undef | ||
209 | } if | ||
210 | + | ||
211 | WRITESYSTEMDICT { | ||
212 | SAFER { | ||
213 | (\n *** WARNING - you have selected SAFER, indicating you want Ghostscript\n) print | ||
214 | @@ -2500,7 +2519,4 @@ WRITESYSTEMDICT { | ||
215 | % be 'true' in some cases. | ||
216 | userdict /AGM_preserve_spots //false put | ||
217 | |||
218 | -systemdict /CETMODE .knownget | ||
219 | -{ { (gs_cet.ps) runlibfile } if } if | ||
220 | - | ||
221 | % The interpreter will run the initial procedure (start). | ||
222 | diff --git a/Resource/Init/gs_ttf.ps b/Resource/Init/gs_ttf.ps | ||
223 | index 05943c5..da97afa 100644 | ||
224 | --- a/Resource/Init/gs_ttf.ps | ||
225 | +++ b/Resource/Init/gs_ttf.ps | ||
226 | @@ -1421,7 +1421,7 @@ mark | ||
227 | TTFDEBUG { (\n1 setting alias: ) print dup ==only | ||
228 | ( to be the same as ) print 2 index //== exec } if | ||
229 | |||
230 | - 7 index 2 index 3 -1 roll exch //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
231 | + 7 index 2 index 3 -1 roll exch .forceput | ||
232 | } forall | ||
233 | pop pop pop | ||
234 | } | ||
235 | @@ -1439,7 +1439,7 @@ mark | ||
236 | exch pop | ||
237 | TTFDEBUG { (\n2 setting alias: ) print 1 index ==only | ||
238 | ( to use glyph index: ) print dup //== exec } if | ||
239 | - 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
240 | + 5 index 3 1 roll .forceput | ||
241 | //false | ||
242 | } | ||
243 | { | ||
244 | @@ -1456,7 +1456,7 @@ mark | ||
245 | { % CharStrings(dict) isunicode(boolean) cmap(dict) RAGL(dict) gname(name) codep(integer) gindex(integer) | ||
246 | TTFDEBUG { (\3 nsetting alias: ) print 1 index ==only | ||
247 | ( to be index: ) print dup //== exec } if | ||
248 | - exch pop 5 index 3 1 roll //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
249 | + exch pop 5 index 3 1 roll .forceput | ||
250 | } | ||
251 | { | ||
252 | pop pop | ||
253 | @@ -1486,7 +1486,7 @@ mark | ||
254 | } ifelse | ||
255 | ] | ||
256 | TTFDEBUG { (Encoding: ) print dup === flush } if | ||
257 | -} bind def | ||
258 | +} .bind executeonly odef % hides .forceput | ||
259 | |||
260 | % to be removed 9.09...... | ||
261 | currentdict /postalias undef | ||
262 | diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps | ||
263 | index 96e1ced..61f5269 100644 | ||
264 | --- a/Resource/Init/gs_type1.ps | ||
265 | +++ b/Resource/Init/gs_type1.ps | ||
266 | @@ -116,7 +116,7 @@ | ||
267 | { % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname aglname | ||
268 | CFFDEBUG { (\nsetting alias: ) print dup ==only | ||
269 | ( to be the same as glyph: ) print 1 index //== exec } if | ||
270 | - 3 index exch 3 index //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
271 | + 3 index exch 3 index .forceput | ||
272 | % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname | ||
273 | } | ||
274 | {pop} ifelse | ||
275 | @@ -135,7 +135,7 @@ | ||
276 | 3 1 roll pop pop | ||
277 | } if | ||
278 | pop | ||
279 | - dup /.AGLprocessed~GS //true //.growput systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse | ||
280 | + dup /.AGLprocessed~GS //true .forceput | ||
281 | } if | ||
282 | |||
283 | %% We need to excute the C .buildfont1 in a stopped context so that, if there | ||
284 | @@ -148,7 +148,7 @@ | ||
285 | {//.buildfont1} stopped | ||
286 | 4 3 roll .setglobal | ||
287 | {//.buildfont1 $error /errorname get signalerror} if | ||
288 | - } bind def | ||
289 | + } .bind executeonly def % hide .forceput | ||
290 | |||
291 | % If the diskfont feature isn't included, define a dummy .loadfontdict. | ||
292 | /.loadfontdict where | ||
293 | -- | ||
294 | 2.20.1 | ||
295 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch new file mode 100644 index 0000000000..5228cace24 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3835-0004.patch | |||
@@ -0,0 +1,167 @@ | |||
1 | From 5845e667dda3c945ee793fbe6af021533cb4fbec Mon Sep 17 00:00:00 2001 | ||
2 | From: Ray Johnston <ray.johnston@artifex.com> | ||
3 | Date: Sun, 24 Feb 2019 22:01:04 -0800 | ||
4 | Subject: [PATCH] Bug 700585: Obliterate "superexec". We don't need it, nor | ||
5 | do any known apps. | ||
6 | |||
7 | We were under the impression that the Windows driver 'PScript5.dll' used | ||
8 | superexec, but after testing with our extensive suite of PostScript file, | ||
9 | and analysis of the PScript5 "Adobe CoolType ProcSet, it does not appear | ||
10 | that this operator is needed anymore. Get rid of superexec and all of the | ||
11 | references to it, since it is a potential security hole. | ||
12 | |||
13 | CVE: CVE-2019-3835 | ||
14 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
15 | |||
16 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
17 | --- | ||
18 | Resource/Init/gs_init.ps | 18 ------------------ | ||
19 | psi/icontext.c | 1 - | ||
20 | psi/icstate.h | 1 - | ||
21 | psi/zcontrol.c | 30 ------------------------------ | ||
22 | psi/zdict.c | 6 ++---- | ||
23 | psi/zgeneric.c | 3 +-- | ||
24 | 6 files changed, 3 insertions(+), 56 deletions(-) | ||
25 | |||
26 | diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps | ||
27 | index 0d5c4f7..c5ac82a 100644 | ||
28 | --- a/Resource/Init/gs_init.ps | ||
29 | +++ b/Resource/Init/gs_init.ps | ||
30 | @@ -2470,24 +2470,6 @@ DELAYBIND not { | ||
31 | systemdict /.forceundef .undef % ditto | ||
32 | } if | ||
33 | |||
34 | -% Move superexec to internaldict if superexec is defined. (Level 2 or later) | ||
35 | -systemdict /superexec known { | ||
36 | - % restrict superexec to single known use by PScript5.dll | ||
37 | - % We could do this only for SAFER mode, but internaldict and superexec are | ||
38 | - % not very well documented, and we don't want them to be used. | ||
39 | - 1183615869 internaldict /superexec { | ||
40 | - 2 index /Private eq % first check for typical use in PScript5.dll | ||
41 | - 1 index length 1 eq and % expected usage is: dict /Private <value> {put} superexec | ||
42 | - 1 index 0 get systemdict /put get eq and | ||
43 | - { | ||
44 | - //superexec exec % the only usage we allow | ||
45 | - } { | ||
46 | - /superexec load /invalidaccess signalerror | ||
47 | - } ifelse | ||
48 | - } bind cvx executeonly put | ||
49 | - systemdict /superexec .undef % get rid of the dangerous (unrestricted) operator | ||
50 | -} if | ||
51 | - | ||
52 | % Can't remove this one until the last minute :-) | ||
53 | DELAYBIND not { | ||
54 | systemdict /.undef .undef | ||
55 | diff --git a/psi/icontext.c b/psi/icontext.c | ||
56 | index 1fbe486..7462ea3 100644 | ||
57 | --- a/psi/icontext.c | ||
58 | +++ b/psi/icontext.c | ||
59 | @@ -151,7 +151,6 @@ context_state_alloc(gs_context_state_t ** ppcst, | ||
60 | pcst->rand_state = rand_state_initial; | ||
61 | pcst->usertime_total = 0; | ||
62 | pcst->keep_usertime = false; | ||
63 | - pcst->in_superexec = 0; | ||
64 | pcst->plugin_list = 0; | ||
65 | make_t(&pcst->error_object, t__invalid); | ||
66 | { /* | ||
67 | diff --git a/psi/icstate.h b/psi/icstate.h | ||
68 | index 4c6a14d..1009d85 100644 | ||
69 | --- a/psi/icstate.h | ||
70 | +++ b/psi/icstate.h | ||
71 | @@ -54,7 +54,6 @@ struct gs_context_state_s { | ||
72 | long usertime_total; /* total accumulated usertime, */ | ||
73 | /* not counting current time if running */ | ||
74 | bool keep_usertime; /* true if context ever executed usertime */ | ||
75 | - int in_superexec; /* # of levels of superexec */ | ||
76 | /* View clipping is handled in the graphics state. */ | ||
77 | ref error_object; /* t__invalid or error object from operator */ | ||
78 | ref userparams; /* t_dictionary */ | ||
79 | diff --git a/psi/zcontrol.c b/psi/zcontrol.c | ||
80 | index 0362cf4..dc813e8 100644 | ||
81 | --- a/psi/zcontrol.c | ||
82 | +++ b/psi/zcontrol.c | ||
83 | @@ -158,34 +158,6 @@ zexecn(i_ctx_t *i_ctx_p) | ||
84 | return o_push_estack; | ||
85 | } | ||
86 | |||
87 | -/* <obj> superexec - */ | ||
88 | -static int end_superexec(i_ctx_t *); | ||
89 | -static int | ||
90 | -zsuperexec(i_ctx_t *i_ctx_p) | ||
91 | -{ | ||
92 | - os_ptr op = osp; | ||
93 | - es_ptr ep; | ||
94 | - | ||
95 | - check_op(1); | ||
96 | - if (!r_has_attr(op, a_executable)) | ||
97 | - return 0; /* literal object just gets pushed back */ | ||
98 | - check_estack(2); | ||
99 | - ep = esp += 3; | ||
100 | - make_mark_estack(ep - 2, es_other, end_superexec); /* error case */ | ||
101 | - make_op_estack(ep - 1, end_superexec); /* normal case */ | ||
102 | - ref_assign(ep, op); | ||
103 | - esfile_check_cache(); | ||
104 | - pop(1); | ||
105 | - i_ctx_p->in_superexec++; | ||
106 | - return o_push_estack; | ||
107 | -} | ||
108 | -static int | ||
109 | -end_superexec(i_ctx_t *i_ctx_p) | ||
110 | -{ | ||
111 | - i_ctx_p->in_superexec--; | ||
112 | - return 0; | ||
113 | -} | ||
114 | - | ||
115 | /* <array> <executable> .runandhide <obj> */ | ||
116 | /* before executing <executable>, <array> is been removed from */ | ||
117 | /* the operand stack and placed on the execstack with attributes */ | ||
118 | @@ -971,8 +943,6 @@ const op_def zcontrol3_op_defs[] = { | ||
119 | {"0%loop_continue", loop_continue}, | ||
120 | {"0%repeat_continue", repeat_continue}, | ||
121 | {"0%stopped_push", stopped_push}, | ||
122 | - {"1superexec", zsuperexec}, | ||
123 | - {"0%end_superexec", end_superexec}, | ||
124 | {"2.runandhide", zrunandhide}, | ||
125 | {"0%end_runandhide", end_runandhide}, | ||
126 | op_def_end(0) | ||
127 | diff --git a/psi/zdict.c b/psi/zdict.c | ||
128 | index b0deaaa..e2e525d 100644 | ||
129 | --- a/psi/zdict.c | ||
130 | +++ b/psi/zdict.c | ||
131 | @@ -212,8 +212,7 @@ zundef(i_ctx_t *i_ctx_p) | ||
132 | int code; | ||
133 | |||
134 | check_type(*op1, t_dictionary); | ||
135 | - if (i_ctx_p->in_superexec == 0) | ||
136 | - check_dict_write(*op1); | ||
137 | + check_dict_write(*op1); | ||
138 | code = idict_undef(op1, op); | ||
139 | if (code < 0 && code != gs_error_undefined) /* ignore undefined error */ | ||
140 | return code; | ||
141 | @@ -504,8 +503,7 @@ zsetmaxlength(i_ctx_t *i_ctx_p) | ||
142 | int code; | ||
143 | |||
144 | check_type(*op1, t_dictionary); | ||
145 | - if (i_ctx_p->in_superexec == 0) | ||
146 | - check_dict_write(*op1); | ||
147 | + check_dict_write(*op1); | ||
148 | check_type(*op, t_integer); | ||
149 | if (op->value.intval < 0) | ||
150 | return_error(gs_error_rangecheck); | ||
151 | diff --git a/psi/zgeneric.c b/psi/zgeneric.c | ||
152 | index 8048e28..d4edddb 100644 | ||
153 | --- a/psi/zgeneric.c | ||
154 | +++ b/psi/zgeneric.c | ||
155 | @@ -204,8 +204,7 @@ zput(i_ctx_t *i_ctx_p) | ||
156 | |||
157 | switch (r_type(op2)) { | ||
158 | case t_dictionary: | ||
159 | - if (i_ctx_p->in_superexec == 0) | ||
160 | - check_dict_write(*op2); | ||
161 | + check_dict_write(*op2); | ||
162 | { | ||
163 | int code = idict_put(op2, op1, op); | ||
164 | |||
165 | -- | ||
166 | 2.18.1 | ||
167 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch new file mode 100644 index 0000000000..593109fb9f --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0001.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 53f0cb4c54ac951697704cb87d24154ae08aecce Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Wed, 20 Feb 2019 09:54:28 +0000 | ||
4 | Subject: [PATCH] Bug 700576: Make a transient proc executeonly (in | ||
5 | DefineResource). | ||
6 | |||
7 | This prevents access to .forceput | ||
8 | |||
9 | Solution originally suggested by cbuissar@redhat.com. | ||
10 | |||
11 | CVE: CVE-2019-3838 | ||
12 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
13 | |||
14 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
15 | --- | ||
16 | Resource/Init/gs_res.ps | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
20 | index 89c0ed6..a163541 100644 | ||
21 | --- a/Resource/Init/gs_res.ps | ||
22 | +++ b/Resource/Init/gs_res.ps | ||
23 | @@ -426,7 +426,7 @@ status { | ||
24 | % so we have to use .forceput here. | ||
25 | currentdict /.Instances 2 index .forceput % Category dict is read-only | ||
26 | } executeonly if | ||
27 | - } | ||
28 | + } executeonly | ||
29 | { .LocalInstances dup //.emptydict eq | ||
30 | { pop 3 dict localinstancedict Category 2 index put | ||
31 | } | ||
32 | -- | ||
33 | 2.18.1 | ||
34 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch new file mode 100644 index 0000000000..921e5b6876 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-3838-0002.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 0cb5e967c0200559f946291b5b54f8da30c32cd6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Chris Liddell <chris.liddell@artifex.com> | ||
3 | Date: Fri, 22 Feb 2019 12:28:23 +0000 | ||
4 | Subject: [PATCH] Bug 700576(redux): an extra transient proc needs | ||
5 | executeonly'ed. | ||
6 | |||
7 | CVE: CVE-2019-3838 | ||
8 | Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] | ||
9 | |||
10 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
11 | --- | ||
12 | Resource/Init/gs_res.ps | 2 +- | ||
13 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps | ||
16 | index a163541..8ce4ae3 100644 | ||
17 | --- a/Resource/Init/gs_res.ps | ||
18 | +++ b/Resource/Init/gs_res.ps | ||
19 | @@ -438,7 +438,7 @@ status { | ||
20 | % Now make the resource value read-only. | ||
21 | 0 2 copy get { readonly } .internalstopped pop | ||
22 | dup 4 1 roll put exch pop exch pop | ||
23 | - } | ||
24 | + } executeonly | ||
25 | { /defineresource cvx /typecheck signaloperror | ||
26 | } | ||
27 | ifelse | ||
28 | -- | ||
29 | 2.18.1 | ||
30 | |||
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb index ad4c5e17d2..bb32347880 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.26.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.26.bb | |||
@@ -39,6 +39,12 @@ SRC_URI = "${SRC_URI_BASE} \ | |||
39 | file://CVE-2019-6116-0005.patch \ | 39 | file://CVE-2019-6116-0005.patch \ |
40 | file://CVE-2019-6116-0006.patch \ | 40 | file://CVE-2019-6116-0006.patch \ |
41 | file://CVE-2019-6116-0007.patch \ | 41 | file://CVE-2019-6116-0007.patch \ |
42 | file://CVE-2019-3835-0001.patch \ | ||
43 | file://CVE-2019-3835-0002.patch \ | ||
44 | file://CVE-2019-3835-0003.patch \ | ||
45 | file://CVE-2019-3835-0004.patch \ | ||
46 | file://CVE-2019-3838-0001.patch \ | ||
47 | file://CVE-2019-3838-0002.patch \ | ||
42 | " | 48 | " |
43 | 49 | ||
44 | SRC_URI_class-native = "${SRC_URI_BASE} \ | 50 | SRC_URI_class-native = "${SRC_URI_BASE} \ |